Where is the nuclear power community?
It has been a year since Congressmen Bennie Thompson and James Langevin sent a letter to Chairman Klein of the NRC with a series of questions related to the Browns Ferry 3 Nuclear Plant Broadcast Storm incident.
One of the questions was why the nuclear community was not working with the non-nuclear community since the non-nuclear community has much more experience with the same equipment than the nuclear community.
That question is certainly pertinent one year later. Over the past year, the non-nuclear community has held at least four major control system cyber security events that directly affected the control systems in nuclear power plants: PCSF, ISA POWID, Applied Control Solutions Control System Cyber Security Conference, and ISA Expo 2007.
With the exception of one nuclear plant person at PCSF, and three nuclear plant personnel and a representative from the NRC at the Control System Cyber Security Conference, the Nuclear Energy Institute (NEI) and the nuclear plant control system cyber security community were nowhere to be seen.
Moreover, the nuclear industry has experienced another nuclear plant cyber incident since Browns Ferry.
In a conversation this morning with the cognizant NEI representative, he agreed that NEI-0404 is only a programmatic document and does not get into the details of how to secure control systems.
He then mentioned that Nuclear Information Technology Strategic Leadership (NITSL), which consists primarily of nuclear power IT personnel, is developing the policies and procedures to be used for control system cyber security.
As part of the technical leadership of the EPRI Y2K Program, I had experience working with NITSL – it was very IT-oriented. ISA S99 has been developing control system cyber security policies.
Yet there has been almost no participation from nuclear industry personnel (nuclear utilities, nuclear plant and equipment suppliers, nuclear plant Architect/Engineers, NEI, NITSL, and NRC) in this process.
I am told how serious the Chief Nuclear Officers believe cyber security is for their plants. Somehow, their actions, or lack thereof, belie this concern.
Joe Weiss